feat(oidc): id token for device authorization (#7088)

* cleanup todo * pass id token details to oidc * feat(oidc): id token for device authorization This changes updates to the newest oidc version, so the Device Authorization grant can return ID tokens when the scope `openid` is set. There is also some refactoring done, so that the eventstore can be queried directly when polling for state. The projection is cleaned up to a minimum with only data required for the login UI. * try to be explicit wit hthe timezone to fix github * pin oidc v3.8.0 * remove TBD entry
2025-08-11 21:07:31 +00:00 · 2023-12-20 14:21:08 +02:00
parent e15f6229cd
commit e22689c125
25 changed files with 629 additions and 621 deletions
--- a/internal/domain/auth_request.go
+++ b/internal/domain/auth_request.go
@@ -110,6 +110,23 @@ const (
 	MFATypeOTPEmail
 )

+func (m MFAType) UserAuthMethodType() UserAuthMethodType {
+	switch m {
+	case MFATypeTOTP:
+		return UserAuthMethodTypeTOTP
+	case MFATypeU2F:
+		return UserAuthMethodTypeU2F
+	case MFATypeU2FUserVerification:
+		return UserAuthMethodTypePasswordless
+	case MFATypeOTPSMS:
+		return UserAuthMethodTypeOTPSMS
+	case MFATypeOTPEmail:
+		return UserAuthMethodTypeOTPEmail
+	default:
+		return UserAuthMethodTypeUnspecified
+	}
+}
+
 type MFALevel int

 const (
@@ -223,3 +240,14 @@ func (a *AuthRequest) PrivateLabelingOrgID(defaultID string) string {
 	}
 	return defaultID
 }
+
+func (a *AuthRequest) UserAuthMethodTypes() []UserAuthMethodType {
+	list := make([]UserAuthMethodType, 0, len(a.MFAsVerified)+1)
+	if a.PasswordVerified {
+		list = append(list, UserAuthMethodTypePassword)
+	}
+	for _, mfa := range a.MFAsVerified {
+		list = append(list, mfa.UserAuthMethodType())
+	}
+	return list
+}